
vserver audit modify

Modify the audit configuration

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver audit modify command modifies an audit configuration for a Vserver.

Parameters

-vserver <vserver name> - Vserver

This parameter specifies the name of the Vserver for which the audit configuration is to be modified. The Vserver audit configuration must already exist.

If you have configured time-based rotation, modifying one parameter of the time-based rotation schedule does not affect the other parameters. For example, if the rotation schedule is set to run at Monday 12:30 a.m., and you modify the -rotate-schedule-dayofweek parameter to Monday,Wednesday,Friday, the new rotation schedule rotates the audit logs on Monday, Wednesday, and Friday at 12:30 a.m. To clear time-based rotation parameters, you must explicitly set that portion to "-". Some time-based parameters can also be set to "all".

[-destination <text>] - Log Destination Path

This parameter specifies the audit log destination path where consolidated audit logs are stored. If the path is not valid, the command fails. The path can be up to 864 characters in length and must have read-write permissions.

[-events {file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|authorization-policy-change|security-group|async-delete}] - Categories of Events to Audit

This parameter specifies the categories of events to be audited. Supported event categories are: file access events (both CIFS and NFS), CIFS logon and logoff events, Central Access Policy (CAP) staging events, file share events, audit policy change events, local user account management events, local security group management events, and authorization policy change events. The corresponding parameter values are: file-ops, cifs-logon-logoff, cap-staging, file-share, audit-policy-change, user-account, security-group, and authorization-policy-change. By default, file-ops, cifs-logon-logoff, and audit-policy-change events are enabled.

[-format {xml|evtx}] - Log Format

This parameter specifies the output format of the audit logs. The output format can be either Data ONTAP-specific XML or Microsoft Windows EVTX log format. By default, the output format is EVTX.

[-rotate-size {<size>|-}] - Log File Size Limit

This parameter specifies the audit log file size limit. By default, the audit log is rotated based on size. The default audit log size is 100 MB.

[-rotate-schedule-month <cron_month>,…] - Log Rotation Schedule: Month

This parameter specifies the monthly schedule for rotating the audit log. For example, you can specify that the audit log is to be rotated during the months January, March, and August, or during all the months. Valid values are January, February, March, April, May, June, July, August, September, October, November, December, and all. Specify "all" to rotate the audit logs every month.

[-rotate-schedule-dayofweek <cron_dayofweek>,…] - Log Rotation Schedule: Day of Week

This parameter specifies the daily (day of the week) schedule for rotating the audit log. For example, you can specify that the audit log is to be rotated on Tuesdays and Fridays, or during all the days of a week. Valid values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and all. Specify "all" to rotate the audit logs every day.

[-rotate-schedule-day <cron_dayofmonth>,…] - Log Rotation Schedule: Day

This parameter specifies the day of the month schedule for rotating the audit log. For example, you can specify that the audit log is to be rotated on the 10th and 20th days of a month, or all days of a month. Valid values range from 1 to 31.

[-rotate-schedule-hour <cron_hour>,…] - Log Rotation Schedule: Hour

This parameter specifies the hourly schedule for rotating the audit log. For example, you can specify that the audit log is to be rotated at 6 a.m. and 10 a.m. Valid values range from 0 (midnight) to 23 (11:00 p.m.). Specify "all" to rotate the audit logs every hour.

[-rotate-schedule-minute <cron_minute>,…] - Log Rotation Schedule: Minute

This parameter specifies the minute schedule for rotating the audit log. For example, you can specify that the audit log is to be rotated at the 30th minute. Valid values range from 0 to 59.

{ [-rotate-limit <integer>] - Log Files Rotation Limit

This parameter specifies the audit log files rotation limit. A value of 0 indicates that all the log files are retained. The default value is 0.

| [-retention-duration <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Log Retention Duration }

This parameter specifies the audit log files retention duration. A value of 0s indicates that all the log files are retained. For example, if you enter a value of 5d0h0m0s, logs more than 5 days old are deleted.

[-audit-guarantee {true|false}] - Strict Guarantee of Auditing

This parameter specifies strict guarantee of auditing for a Vserver. If this value is true, file access is denied if audit records cannot be generated. If this value is false, auditing is done on a best-effort basis.

[-charge-qos {true|false}] - Audit Log Extra Charge

This parameter specifies whether the audit logs incur an extra charge. The extra charge is counted against the volume's QoS policy. If this value is set to false, audit logs do not incur an extra charge.

Examples

The following example modifies the rotate-size and rotate-limit fields for Vserver vs1.

cluster1::> vserver audit modify -vserver vs1 -rotate-size 10MB -rotate-limit 3

The following example modifies an audit configuration for Vserver vs1 using the time-based rotation method. The audit logs are rotated monthly, all days of the week, at 12:30.

cluster1::> vserver audit modify -vserver vs1 -destination /audit_log -rotate-schedule-month all -rotate-schedule-dayofweek all -rotate-schedule-hour 12 -rotate-schedule-minute 30

The following example modifies an audit configuration for Vserver vs1 for auditing CIFS and NFS file access events in the output log format EVTX.

cluster1::> vserver audit modify -vserver vs1 -format evtx -events file-ops
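The following is an added example, not NetApp code: a Python pre-flight check that encodes the constraints stated in this reference (the 864-character destination limit, the listed event categories, the schedule value ranges, and -rotate-limit and -retention-duration as alternatives) and then renders the command line. The function names, the dictionary layout, and the comma-joining of list values for -events are assumptions; "all" is accepted only for the schedule parts where this page names it.

```python
import re

EVENTS = set("""file-ops cifs-logon-logoff cap-staging file-share audit-policy-change
user-account authorization-policy-change security-group async-delete""".split())
MONTHS = ("january february march april may june july august "
          "september october november december").split()
DAYS = "sunday monday tuesday wednesday thursday friday saturday".split()
# Schedule part -> (allowed names, allowed numbers, whether this page lists "all" for it).
SCHEDULE = {
    "rotate-schedule-month": (MONTHS, None, True),
    "rotate-schedule-dayofweek": (DAYS, None, True),
    "rotate-schedule-day": (None, range(1, 32), False),
    "rotate-schedule-hour": (None, range(0, 24), True),
    "rotate-schedule-minute": (None, range(0, 60), False),
}
# [<integer>d][<integer>h][<integer>m][<integer>s], with at least one part present.
DURATION = re.compile(r"(?=\d)(\d+d)?(\d+h)?(\d+m)?(\d+s)?")

def check_audit_modify(p):
    """Return the list of problems found; an empty list means p matches the reference."""
    errs = []
    if not p.get("vserver"):
        errs.append("-vserver is required")
    if "rotate-limit" in p and "retention-duration" in p:
        errs.append("-rotate-limit and -retention-duration are alternatives")
    if len(p.get("destination", "")) > 864:
        errs.append("-destination is longer than 864 characters")
    if p.get("format", "evtx") not in ("xml", "evtx"):
        errs.append("-format must be xml or evtx")
    errs += [f"unknown event category {e}" for e in p.get("events", []) if e not in EVENTS]
    if "retention-duration" in p and not DURATION.fullmatch(p["retention-duration"]):
        errs.append("-retention-duration must look like 5d0h0m0s")
    for name, (names, numbers, allows_all) in SCHEDULE.items():
        for raw in p.get(name, []):
            v = str(raw).lower()
            ok = (v == "-" or (v == "all" and allows_all) or (names and v in names)
                  or (numbers and v.isdigit() and int(v) in numbers))
            if not ok:
                errs.append(f"-{name}: {raw!r} is not a value the reference lists")
    return errs

def render(p, prompt="cluster1::> "):
    """Build the command line, refusing parameters that fail the checks."""
    errs = check_audit_modify(p)
    if errs:
        raise ValueError("; ".join(errs))
    # Assumption: list values (events, schedule parts) are comma-separated.
    args = [f"-{k} {','.join(map(str, v)) if isinstance(v, list) else v}"
            for k, v in p.items()]
    return prompt + "vserver audit modify " + " ".join(args)
```

Passing the parameters of the first two examples above to render() reproduces those command lines exactly.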